Online privacy in jeopardy

Phone apps help themselves to our contacts, Google tracks our Web history, and supermarkets may know you are pregnant before you yourself do. Can anything stop the great data grab?

By Charles Arthur / The Guardian

lllustration: June Hsu

If you use a smartphone and download apps, as half the UK population does now, you’ve probably used an app which pops up a dialog box asking “Find your friends?” and offering to search some new social network — or one of the more familiar ones — for people you already know.

It’s easy and quick to click on the “OK” button, but do you know what’s happening once you do? This is where you suddenly discover that what you thought you knew about your online privacy is wrong — or at best, incomplete.

In mid-February, an Indian researcher, Arun Thampi, figured out what was happening when Path, a would-be social network app for Apple’s iPhone for “sharing your life,” asked that question. It was uploading the entire contents of your address book — names, e-mails, phone numbers — to Path’s servers.

The outcry over this data grab was rapid and widespread — at least among the Silicon Valley digerati and those who watch them. Path’s chief executive wrote a mea culpa blogpost, the company updated its app so it wouldn’t upload all the data, and everything seemed calm.

Then Dustin Curtis, a user interface designer, pointed out that loads of apps do this. On his blog, he noted: “I did a quick survey of 15 developers of popular iOS apps, and 13 of them told me they have a contacts database with millons of records. One company’s database has Mark Zuckerberg’s cellphone number, Larry Ellison’s home phone number and Bill Gates’ cellphone number.”

However, he added: “This data is not meant to be public, and people have an expectation of privacy with respect to their contacts.”

More digging showed that Facebook, Instagram, Yelp and location service Gowalla did it too. It seemed like it would be easier to list the apps that didn’t do it.

For those feeling suddenly itchy about their privacy, there was more to come. A few days after Curtis’ blog, Twitter admitted that it too grabbed address book data (though only, it said, your friends’ e-mail addresses and phone numbers); the purpose being just to find people you already know who might already be, or will be, members of the service.

Jon Leibowitz, the chairman of the US’ powerful Federal Trade Commission, summed it up in a sentence: “Right now, it is almost impossible to figure out which apps collect data and what they do with it.”

Apple chewed this over silently for a week and then announced that a forthcoming update of the iPhone and iPad software would prevent this.

However, just as another privacy storm seemed to have come and gone, another arrived: Jonathan Mayer, who researches online privacy at Stanford University, discovered that Google had hacked past the default privacy settings of Apple’s browsers on the iPhone, iPad and desktop so it could track people’s use of the Web, whether or not they were signed into its services. That also meant that its advertising arm DoubleClick could follow them too. Adding to the appearance of culpability, as soon as the Wall Street Journal, following up Mayer’s discovery, contacted Google, it stopped doing it. In recent weeks, only Facebook has emerged without immediate criticism.

Still, the damage has been done.

“Between the Path debacle and Google’s Safari cookies, [Silicon] Valley’s moral bankruptcy on privacy was made obvious,” James Grimmelmann, an associate professor at New York Law School, said on Twitter.